[GWCTF 2019]pyre
<p>[TOC]</p>
<h1>🌓分析</h1>
<p>pyc文件逆向,直接在线反编译
<a href="https://tool.lu/pyc/">https://tool.lu/pyc/</a></p>
<pre><code class="language-python">#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7
print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
num = ((input1[i] + i) % 128 + 128) % 128
code += num
for i in range(l - 1):
code[i] = code[i] ^ code[i + 1]
print code
code = [
'%1f',
'%12',
'%1d',
'(',
'0',
'4',
'%01',
'%06',
'%14',
'4',
',',
'%1b',
'U',
'?',
'o',
'6',
'*',
':',
'%01',
'D',
';',
'%',
'%13']</code></pre>
<p>这个网站反编译不是很好,可以再使用另一个
<a href="https://www.toolnb.com/tools/pyc.html">https://www.toolnb.com/tools/pyc.html</a></p>
<pre><code class="language-python"># uncompyle6 version 3.5.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.5 (default, Nov 16 2020, 22:23:17)
# [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
# Embedded file name: encode.py
# Compiled at: 2019-08-19 21:01:57
print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
num = ((input1[i] + i) % 128 + 128) % 128
code += num
for i in range(l - 1):
code[i] = code[i] ^ code[(i + 1)]
print code
code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']</code></pre>
<p>可以根据脚本大概写出逆向脚本</p>
<h1>🌓Exploit</h1>
<pre><code class="language-python"># --run--
code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']
l = len(code)
for i in range(l-2, -1, -1):
code[i] = chr(ord(code[i]) ^ ord(code[i+1]))
for i in range(l):
code[i] = chr((ord(code[i]) - i) % 128)
print(''.join(code))
# GWHT{Just_Re_1s_Ha66y!}</code></pre>
<h1>🌓附件</h1>
<p><a href="https://cowtransfer.com/s/4c44ef2389dd4f">https://cowtransfer.com/s/4c44ef2389dd4f</a></p>